In OpenShift Container Platform 4, a privilege escalation path exists in Builds via the re-use of credentials mounted into /run/secrets. An OpenShift user able to execute code in a build container can re-use the credentials to overwrite arbitrary container images in internal registries and potentially execute arbitrary code.
Upstream fix: https://github.com/openshift/builder/pull/206
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:0308 https://access.redhat.com/errata/RHSA-2021:0308
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3344
Mitigation: The affected build strategies include docker, source and custom builds, hence these can be disabled as per the documentation[1]. This does however, exclude the Jenkins build strategy as it is not affected and does not have to be disabled. [1] https://docs.openshift.com/container-platform/4.6/builds/securing-builds-by-strategy.html On clusters where builds are allowed only grant permissions to perform builds to users who you wish to be to able to view, modify and edit all cluster resources.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:0428 https://access.redhat.com/errata/RHSA-2021:0428